The focus of this week’s blog is information classification. Let’s start with first principles – What exactly do we mean by information classification? In its simplest form, information classification is the process by which we assess the information we hold and identify the appropriate level of protection it must be given. This protection may focus on confidentiality, integrity, availability, or any combination of these, but generally, most organisations opt to base their classification schemes around confidentiality.
A classification scheme can have any number of classifications, but in order to be practical, most organisations are likely to stick with three or four levels. A typical scheme may contain the following levels:
So, if you’re developing an information classification programme, where do you start? As a first step, all information needs to be recorded in an inventory and allocated to an ‘owner’ (best to allocate this to a role rather than named individual). Each group of information assets need to go through a risk assessment process, based on the holy trinity of confidentiality (making sure only those who should be able to see it, can see it), integrity (the information is up to date and accurate and free from corruption) and availability (It can be seen by those who have a right to see it, when they want to see it). Information is often scored on a 1-3 (High, medium, low) scale, based on the impact the organisation would suffer if the information were to be breached, although there are many examples where greater granularity and detail may be provided.
Under control objective A.8.2 of ISO 27001, you are required ‘To ensure that information receives an appropriate level of protection in accordance with its importance to the organization’. This includes (under A.8.2.1) ensuring that ‘Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification’. As mentioned previously, most organisations tend to classify their information based upon its confidentiality requirements, e.g. the impact that the organisation would experience if an unauthorised disclosure was to take place.
Once we’ve decided how important the information is, we can start looking at strategies to protect it. Each classification will have a basic set of information handling rules which should cover the whole lifecycle of the information, i.e. from creation through to disposal covering who can see it, how it should be stored, how it should be communicated (both physically and electronically) and how it should be disposed of when no longer required. Staff will need to be trained to handle information appropriately as determined by its classification. In order that they can do this the information will need to be labelled in such a way that it is immediately apparent what classification it bears and thus what type of handling is required. The most important thing is that there is an easy to understand approach such as the three-tier classification scheme mentioned above, coupled with a clear set of guidelines supported by a Policy which explicitly states how information should be classified and once it has been what can and can’t be done with it. And, as with most things, this approach needs to be regularly revisited and reassessed for currency and effectiveness.
The key, as with most things, is to define an approach, keep it simple, and then communicate it!
One example of where appropriate classification and handling may not have been implemented is the release of documents by Edward Snowden. If information is classified ‘top secret’ we should be very clear within the handling guidelines who is allowed to have access, how it should be communicated (including when in hardcopy and electronic), where and how it should be stored and what happens to it when it is no longer required. If we look back at the Snowden incident it could be argued that one of the many failings was as a result of incorrect classification. As was quoted during the investigation, ‘A typical NSA (National Security Agency) worker had a “top secret” security clearance, which gives access to most, but not all, classified information.’ Snowden also had the enhanced privileges of a “system administrator.” The NSA, which had as many as 40,000 employees, has 1,000 system administrators, most of the contractors. As a system administrator, Snowden was allowed to look at any file he wanted, and, given his location and mode of access, his actions were largely unaudited and undetected – no flags were raised. In most organisations, systems administrators are there to look after the systems themselves but are not necessarily required to see the information within the system in order to carry out this function. Controls should have been implemented to ensure that he could still do his job, but at the same time, not be able to access information not required to carry out his role.